Emails No Spam Security & Risk Analysis

wordpress.org/plugins/emails-no-spam

Emails No Spam provides reliable mailing service to your company. The plugin is literally a blessing for everyone. Customizable fields.

0 active installs · v2.7 · PHP + · WP 3.5+ · Updated Unknown
emails-no-spam, mailing, send-emails, send-posts, trash
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Emails No Spam Safe to Use in 2026?

Generally Safe

Score 100/100

Emails No Spam has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The "emails-no-spam" v2.7 plugin exhibits a concerning security posture, primarily due to a large, unprotected attack surface: 42 AJAX handlers were identified, and all of them lack authentication checks. Every action is registered both for logged-in users (auth) and for logged-out visitors (nopriv), so authenticated and unauthenticated requests alike could trigger these handlers, leading to unintended actions or information disclosure.

The code analysis reveals several areas for improvement. While dangerous functions are absent and there are no recorded CVEs, the low percentage of prepared SQL statements (8%) and properly escaped output (27%) indicates a higher likelihood of traditional vulnerabilities like SQL injection and Cross-Site Scripting (XSS). The presence of unsanitized paths in taint analysis, even if not classified as critical or high, warrants attention as it suggests potential for path traversal or unauthorized file access.

Although the plugin has no recorded vulnerability history, this does not guarantee future safety. The identified weaknesses in input sanitization and authentication, coupled with the substantial unprotected attack surface, mean that existing or newly discovered vulnerabilities could be easily exploited. The plugin's strengths lie in the absence of dangerous functions and its clean vulnerability history, but these are overshadowed by the significant security concerns derived from the static analysis.

Key Concerns

  • AJAX handlers without authentication checks
  • Low percentage of prepared SQL statements
  • Low percentage of properly escaped output
  • Unsanitized paths in taint analysis
  • Low capability checks
Vulnerabilities
None known

Emails No Spam Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Emails No Spam Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 173 · 16 prepared
Unescaped Output: 388 · 144 escaped
Nonce Checks: 24
Capability Checks: 2
File Operations: 2
External Requests: 16
Bundled Libraries: 0

SQL Query Safety

8% prepared · 189 total queries

Output Escaping

27% escaped · 532 total outputs
Data Flows
9 unsanitized

Data Flow Analysis

25 flows · 9 with unsanitized paths
settingsPage (EmailsNoSpam_OptionsManager.php:275)
Attack Surface
42 unprotected

Emails No Spam Attack Surface

Entry Points: 42
Unprotected: 42

AJAX Handlers 42

auth · wp_ajax_clear_list_form · scripts\list-recipients\ajax.php:4
nopriv · wp_ajax_clear_list_form · scripts\list-recipients\ajax.php:5
auth · wp_ajax_clear_list_done · scripts\list-recipients\ajax.php:10
nopriv · wp_ajax_clear_list_done · scripts\list-recipients\ajax.php:11
auth · wp_ajax_reset_list_form · scripts\list-recipients\ajax.php:18
nopriv · wp_ajax_reset_list_form · scripts\list-recipients\ajax.php:19
auth · wp_ajax_reset_list_done · scripts\list-recipients\ajax.php:24
nopriv · wp_ajax_reset_list_done · scripts\list-recipients\ajax.php:25
auth · wp_ajax_delete_list_form · scripts\list-recipients\ajax.php:32
nopriv · wp_ajax_delete_list_form · scripts\list-recipients\ajax.php:33
auth · wp_ajax_delete_list_done · scripts\list-recipients\ajax.php:40
nopriv · wp_ajax_delete_list_done · scripts\list-recipients\ajax.php:41
auth · wp_ajax_schedule_list_form · scripts\list-recipients\ajax.php:49
nopriv · wp_ajax_schedule_list_form · scripts\list-recipients\ajax.php:50
auth · wp_ajax_schedule_list_done · scripts\list-recipients\ajax.php:57
nopriv · wp_ajax_schedule_list_done · scripts\list-recipients\ajax.php:58
auth · wp_ajax_templates_list · scripts\list-recipients\ajax.php:66
nopriv · wp_ajax_templates_list · scripts\list-recipients\ajax.php:67
auth · wp_ajax_template_list · scripts\list-recipients\ajax.php:73
nopriv · wp_ajax_template_list · scripts\list-recipients\ajax.php:74
auth · wp_ajax_template_done · scripts\list-recipients\ajax.php:80
nopriv · wp_ajax_template_done · scripts\list-recipients\ajax.php:81
auth · wp_ajax_send_list_cron · scripts\list-recipients\ajax.php:87
nopriv · wp_ajax_send_list_cron · scripts\list-recipients\ajax.php:88
auth · wp_ajax_list_unsubscribe · scripts\list-recipients\ajax.php:95
nopriv · wp_ajax_list_unsubscribe · scripts\list-recipients\ajax.php:96
auth · wp_ajax_list_subscribe · scripts\list-recipients\ajax.php:103
nopriv · wp_ajax_list_subscribe · scripts\list-recipients\ajax.php:104
auth · wp_ajax_currency · scripts\login\ajax.php:4
nopriv · wp_ajax_currency · scripts\login\ajax.php:5
auth · wp_ajax_include_server · scripts\servers\ajax.php:6
nopriv · wp_ajax_include_server · scripts\servers\ajax.php:7
auth · wp_ajax_settings_server · scripts\servers\ajax.php:13
nopriv · wp_ajax_settings_server · scripts\servers\ajax.php:14
auth · wp_ajax_active_server · scripts\servers\ajax.php:20
nopriv · wp_ajax_active_server · scripts\servers\ajax.php:21
auth · wp_ajax_delete_server · scripts\servers\ajax.php:27
nopriv · wp_ajax_delete_server · scripts\servers\ajax.php:28
auth · wp_ajax_support_page_pro · scripts\support\ajax.php:2
nopriv · wp_ajax_support_page_pro · scripts\support\ajax.php:3
auth · wp_ajax_support_contact_form · scripts\support\ajax.php:9
nopriv · wp_ajax_support_contact_form · scripts\support\ajax.php:10
WordPress Hooks 12
action · my_daily_event · create_pages\EmailsNoSpam_Page_Timer.php:80
action · admin_notices · emails-no-spam.php:61
action · plugins_loaded · emails-no-spam.php:86
action · admin_init · EmailsNoSpam_OptionsManager.php:259
action · init · EmailsNoSpam_Plugin.php:155
action · admin_menu · EmailsNoSpam_Plugin.php:182
action · wp_footer · EmailsNoSpam_ShortCodeScriptLoader.php:40
filter · wp_mail_content_type · scripts\my-lists\cron.php:221
filter · wp_mail_content_type · scripts\send-list\cron.php:234
filter · wp_mail_content_type · scripts\send-list\send-webservice\send-wp-mail-free.php:74
filter · wp_mail_content_type · scripts\support\send-mail\send.php:96
filter · wp_mail_content_type · scripts\templates\cron.php:148

Scheduled Events 1

my_daily_event
Maintenance & Trust

Emails No Spam Maintenance & Trust

Maintenance Signals

WordPress version tested
Last updated: Unknown
PHP min version
Downloads: 11K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Emails No Spam Developer Profile

clodoaldoevangelista

5 plugins · 40 total installs

Trust score: 86
Avg Security Score: 88/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Emails No Spam

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/emails-no-spam/css/emails-no-spam.css
  • /wp-content/plugins/emails-no-spam/js/emails-no-spam.js

Script Paths

  • /wp-content/plugins/emails-no-spam/js/emails-no-spam.js

Version Parameters

  • emails-no-spam/css/emails-no-spam.css?ver=
  • emails-no-spam/js/emails-no-spam.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • emails-no-spam-form-field
  • emails-no-spam-subscribe-button
  • emails-no-spam-login-error

HTML Comments

  • <!-- Emails No Spam -->

Data Attributes

  • data-ens-email
  • data-ens-name

JS Globals

  • EmailsNoSpam_Ajax
  • EmailsNoSpam_Settings

Shortcode Output

  • [emails_no_spam_subscribe_form]
  • [emails_no_spam_login_form]